Anyone know what this is? ZoneAlarm pops up asking if I want to let this file access the network.
It's a 28k file in the Windows directory with no modified date.
Didn't find anything with a google search.
I'd guess it's a trojan but don't recognize the filename. Do you have TDS-3?
Hi mawil - Housecall picks up most trojans. You can run a free online scan here
No TDS-3. I've tried housecall before, a long time ago. It didn't want to work on my system. :confused:
I also did a restore of a backed up drive image and it got rid of it for a little while. Then it came back last nite.
My cable access has been down over the weekend and I'm connecting using free Juno right now. Soon as the cable is back up, I'll give Housecall another try.
mawil, You could also go to the link below and download "The Cleaner" which has a Free 30 day Trial Period and is excellent at detecting & removing any Trojans your computer may have picked up.
http://www.moosoft.com/thecleaner/
HTH
Tufenuf
Tufenuf, I've scanned with eTrust AV, The Cleaner and Tauscan.
Nothing shows up. :eek:
mawil, I found a few references to that file here.
http://groups.google.com/groups?as_q...59-1&lr=&hl=en
You may want to try renaming the file to scrsvr.exe.old and see if it causes any problems. It's worth a try.
Tufenuf
Mawil,
If you do decide to try HouseCall anyways, make sure you have all your other anti-virus, etc shut down. In fact, have everything else shut down except what you need to connect. :)
Have you run AdAware?
It's interesting that most of those references that Tufenuf found are the last couple of days. Can you look through any logs and see what type of request it was. Can you zip the file and email it to me? There's been an interesting rise in udp port 137 stuff over the last couple of days.
mawil, Below is how someone else corrected the scrsvr.exe file problem.
Well, I answered my own questions!!! Am I a computer detective or WHAT......I tried to delete that scrsvr.exe file and it wouldn't let me@%^#@?"}, so I rebooted to DOS and deleted it there..........that HD noise was beginning to drive me crazy, and so I reboot and guess what.......no more noise! whaddarelief.
Sue
She also edited the win.ini file as shown below.
I just had the W32 Hai worm and it was renamed but it keeps causing a notice on bootup that there's a file (caused by the worm) that can't be found; I find a line in the win.ini in sysedit that says run=thefilename.exe,c:/windows/scrsvr.exe
She followed the editing instructions at this link.
http://securityresponse.symantec.com....hllw.hai.html
Tufenuf
I agree with Tuf; follow what he says. Most trojan access files are about that size, and when you rid yourself of that file an error will come up saying the file is missing anyway, so go into Windows sys.ini or win.ini and search for any entries with the file name you provided and delete just the name from your dir. I've had about 4 different trojans so I have had some experience ridding myself of them, and just a tip: never download a file about that size unless you really know what it is!!!
Well, I didn't download it. Just don't know where it came from. I did go into dos this morning and deleted it. Just got off work and am going to edit win.ini, etc. now.
I wonder why it came back after doing the drive image restore? That is what is scary. :eek:
IMM, as I said, I deleted the file this A.M., but if it comes back again, I'll certainly send it to you.
I just edited my win.ini file and no more messages at startup.
I did find another reference to it in my windows\applog file, scrsvr.lgc.
Got rid of it too.
I think it's a spy file attached to a program you downloaded.
Check this out anyway:
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
Prophet,
I haven't downloaded anything lately. And why would it come back after restoring a previous image from a month ago?
After deleting one more file in the windows registry (that thing was everywhere), I went to Housecall and ran their online scan on ALL of my drives. It shows I'm clean.
Your link gives me a blank page. :confused: Got another one?
I particularly like the part of prophet's link that says Discovered on: September 30, 2002 :)
The fixed link is
http://securityresponse.symantec.com...serv.worm.html
There's been a boom in UDP port 137 activity since about the 26th - and this is network aware - I wonder ??
Well I discovered it on the 28th. :D
Thanks for the link. I also just deleted the tmp.ini file. According to Symantec, maybe I should create a new one?
Nope. Windows doesn't use one - and if it was me I'd like to know if something else was re-creating it - but if you do that as Symantec suggests in an attempt to prevent re-inoculation - then mark it read only (and perhaps hidden?).
Didn't mail me that file either I see :D
Actually, it's still in the recycle bin. Do you want it? :D
Yup - zip it first tho'
[email protected]
temp.zip is on its way. :)
Got it - thx.
Guess using ZA - you probably have no reference to which port it wanted?
Here's a pretty picture :)
http://isc.incidents.org/port_details.html?port=137
Glad you got it. I'm gonna delete it for good now. :) No idea what port. My internet access was down Saturday and Sunday and I had already deleted it by the time access was restored today.
The only reason I noticed it was because ZA said it was trying to access the LAN.
Strange that I was surfing Friday nite when the file was apparently created the first time and ZA didn't report it trying to access the net. Could be I had to reboot before it was activated?
Nice picture. That's quite a jump. :eek:
Could be I had to reboot before it was activated?
Very likely as it loads through Run keys and the "win.ini" file.
That tmp.ini file appears to be a win.ini file which contains:
[windows]
load=
run=c:\windows\scrsvr.exe
ScreenSaveActive=1
ScreenSaveTimeOut=60
lines. (I've removed some elements which relate to your printer from the section.)
I haven't looked through it thoroughly yet.
Is there anything in c:\windows\wininit.bak - or is there a wininit.ini?
Crazy thought, but I allow WinMx to act as a server thru ZA. Don't remember if I was downloading anything with it friday nite, but it would have been a couple of files I had started some time ago and was trying to complete. Those particular files show up clean on the housecall scan though.
Could something have "sneaked" in thru the WinMx server?
If so, that is really scary.
OK...this is crazy. It's back. I'm gonna zip it and send it to you.
I also removed winmx from ZA permissions completely and deleted the partial downloads I had.
Don't know enough about WinMX to say but I see no reason why not.
Those particular files show up clean on the housecall scan though.
Discovered on: September 30, 2002
What are the odds it's in their signature files yet? From what little I know about it at this point - it sure seems easy to detect (hope that lasts - but...)
They have it.
Opasoft
(Sorry. This thread should have been in Internet Security/Viruses. Didn't know what it was going to turn into.)
True - but at this point I'll bet it's a lot easier to detect the infection rather than the infector. (assuming there is a file that will spread it as well as simple net shares)
I've had those files sitting on my hard drive for several days now. Looks like they would have infected me before now.
probably - it's got the sherlock in me going - but with nothing to chew on :)
Just looked and it was back in win.ini but not the registry or the applog folder. Did you get the file?
I did have an error about a file mismatch on one of the files I was downloading. Just can't remember if it was Friday nite or not.
Makes you go Hmmmmm.
Got the exe - thx. It'll be a while before I know anything (assuming I can figure out anything at all). A quick glance shows quite a bit of network awareness (WSAStartup etc.) as well as a mutex. It may (guessing heuristically) have been written in Delphi - but I've very little at the moment.
Are you on a home network - where one computer can reinfect the other? If you want to try and scr*w it up on the reboot perhaps try the tmp.ini file and see if it hiccups? Again - is there anything in wininit.ini at the moment?
Did a search and don't find wininit.ini.
I just fired up WinMx again and gave it server rights. Boom. The scrsvr.exe was back again.
Think I'll create a tmp.ini and have a go at it. ZA won't let it access the other computer on the lan. It's shut down anyway.
Very interesting. Created a tmp.ini file in root directory. scrsvr.exe is in windows. Rebooted computer and no alerts. Nothing in win.ini, registry or applog folder and tmp.ini is still 0 KB.
If you're in the mood to look around - you might look at your proxy settings in IE as well.
Here are some strings of interest if you're interested in searching your registry and harddrive.
These 2 files are mentioned as local infects by Symantec
ScrSout.dat
ScrSout.dat
The registry key
Software\Microsoft\Windows\CurrentVersion\Internet Settings
is referenced but I haven't looked to figure out if it's HKCU or HKLM (or both)
There is also
opasoft
in a variety of url strings
as well as
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
which is a mangled wildcard name of
*\0\0\0........
which makes it look like it comes from the network.vbs family?
I may get back to it later tonite.
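The "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" string above is worth unpacking, because it ties the binary to the UDP 137 activity mentioned earlier in the thread. NetBIOS names on the wire are "first-level encoded" (RFC 1001 section 14.1): each of the 16 name bytes is split into two nibbles and each nibble is written as a letter from 'A' to 'P'. The wildcard name '*' followed by fifteen NUL bytes therefore becomes "CK" plus thirty 'A's, and that is exactly the name a node-status query (what nbtstat -A sends, and what a NetBIOS share scanner sends to every host it probes) carries. The script below is an added example written for this edit, not code from the thread or from the worm; the transaction ID, the "node_status_sweep" flag name and the sample packet are my own choices.

```python
from __future__ import annotations
import struct

NBSTAT = 0x0021    # NBNS QTYPE "node status" (the nbtstat -A style query)
CLASS_IN = 0x0001


def netbios_encode(name: str, pad: bytes = b" ", suffix: int = 0x00) -> str:
    """RFC 1001 s.14.1 first-level encoding of a NetBIOS name.

    The name is padded to 15 bytes, a one-byte suffix (the service type) is
    appended, and each of the 16 bytes is split into two nibbles, each written
    as chr(ord('A') + nibble).  The result is always 32 characters 'A'..'P'.
    The wildcard used by node-status scans is '*' followed by fifteen NUL bytes,
    so it is encoded with pad=b"\\x00".
    """
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def netbios_decode(label: str) -> tuple[str, int]:
    """Inverse of netbios_encode: a 32-char label -> (name, suffix byte)."""
    if len(label) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(label[i]) - 0x41) << 4) | (ord(label[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_node_status_query(txid: int = 0x1234) -> bytes:
    """Build the UDP/137 datagram a node-status probe sends (txid is arbitrary).

    Header (RFC 1002 s.4.2.1.1): ID, FLAGS=0 (query, opcode 0, no recursion),
    QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.  Question: one 32-byte label for the
    wildcard name, a zero root label, QTYPE=NBSTAT, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    label = netbios_encode("*", pad=b"\x00").encode("ascii")
    question = bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", NBSTAT, CLASS_IN)
    return header + question


def parse_nbns_query(pkt: bytes) -> dict:
    """Decode the header and first question of an NBNS query datagram.

    Only the simple form with a single label and no scope ID is handled,
    which is what the port-137 scanning traffic discussed here looks like.
    """
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    pos = 12
    length = pkt[pos]
    pos += 1
    label = pkt[pos:pos + length].decode("ascii")
    pos += length
    if pos >= len(pkt) or pkt[pos] != 0:
        raise ValueError("expected root label after the name (scope IDs unsupported)")
    pos += 1
    if len(pkt) < pos + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    name, suffix = netbios_decode(label)
    return {
        "txid": txid, "flags": flags, "label": label, "name": name,
        "suffix": suffix, "qtype": qtype, "qclass": qclass,
        # a node-status query for '*' is the signature of a NetBIOS sweep
        "node_status_sweep": qtype == NBSTAT and name == "*" and suffix == 0,
    }


if __name__ == "__main__":
    probe = build_node_status_query()
    print(probe.hex())
    print(parse_nbns_query(probe))
```

Feeding a captured port 137 datagram to parse_nbns_query() tells you whether it is the wildcard node-status query a share scanner sends or an ordinary name lookup for a specific machine; the "CK" prefix alone is enough to spot the wildcard in a packet dump or in the strings of a binary.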
I don't use IE. Just started using Mozilla. Switched from netscape.
Didn't find the dat files, and in the registry when checking for opasoft got urls for msn.com and trendmicro. (I did use IE to go to housecall. Wouldn't work otherwise.)
:confused:
Strange that this post happened to show up as I was looking thru the forums tonight. I logged on to my computer tonight and Norton AV showed a virus on file windows/system/scrsvr.exe. It could not quarantine it and it could not delete it. I was going to go to DOS and delete it there, but I misread the name of the file and could not find it (scrnsvr.exe). Rebooted to Windows and then Norton AV was able to quarantine it.
However, Windows said it could not find scrsvr.exe and it needed it to start some programs. I did not write down the exact wording, and when I opened IE, everything seems to be working fine.
Norton AV shows that it is W32.Opaserv.Worm.
I have never dug very deep into the computer, so if Windows needs this file to do anything, how do I get an uninfected file?
Hi goldbrick44 - have a look in your win.ini file and see if the below line is there. If it is put a ; in front of it and see if windows still asks for the file.
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
Have a look here
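Both the tmp.ini contents quoted earlier (the [windows] section with run=c:\windows\scrsvr.exe) and the ';' trick suggested just above come down to the same thing: on Windows 9x/ME the run= and load= lines of win.ini's [windows] section are an autostart mechanism, a line starting with ';' is a comment, and a run= line can list several programs separated by commas or spaces. The script below is an added example for this edit, not code posted in the thread: it lists what a win.ini would autostart and strips one named file from those lines while keeping the original as a commented copy, so any legitimate program sharing the line keeps starting. The sample INI text is constructed to match the quoted section, with a [Desktop] section added as filler; the function names are my own.

```python
from __future__ import annotations
import ntpath
import re

# Constructed win.ini text modelled on the [windows] section quoted in this
# thread; the [Desktop] section is filler added to show that other sections
# are ignored.  Not a real file from anyone's machine.
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\scrsvr.exe
ScreenSaveActive=1
ScreenSaveTimeOut=60
[Desktop]
Wallpaper=(None)
"""

_SPLIT = re.compile(r"[,\s]+")   # run= and load= accept comma or space separated lists


def _iter_ini(ini_text: str):
    """Yield (section, raw_line, key, value) for every line; key and value are
    None for blank lines, ';' comments and section headers."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            yield section, raw, None, None
        elif not line or line.startswith(";") or "=" not in line:
            yield section, raw, None, None
        else:
            key, _, value = line.partition("=")
            yield section, raw, key.strip().lower(), value.strip()


def windows_autostart_entries(ini_text: str) -> dict[str, list[str]]:
    """Return what Windows 9x/ME starts from win.ini's [windows] section:
    the programs listed on run= and load=.  ';' lines are comments and are
    skipped, which is why prefixing a line with ';' disables it."""
    found: dict[str, list[str]] = {"run": [], "load": []}
    for section, _raw, key, value in _iter_ini(ini_text):
        if section == "windows" and key in found:
            found[key].extend(p for p in _SPLIT.split(value) if p)
    return found


def neutralise_autostart(ini_text: str, filename: str) -> tuple[str, list[str]]:
    """Remove `filename` (basename match, case-insensitive) from any run=/load=
    line in [windows].  The original line is kept as a ';' comment above the
    edited one, so the change is reversible and other programs on the same
    line keep starting.  Returns (new text, list of removed entries).
    The rewritten key is emitted lowercase; win.ini keys are case-insensitive."""
    target = filename.lower()
    out: list[str] = []
    removed: list[str] = []
    for section, raw, key, value in _iter_ini(ini_text):
        if section == "windows" and key in ("run", "load"):
            parts = [p for p in _SPLIT.split(value) if p]
            hits = [p for p in parts if ntpath.basename(p).lower() == target]
            if hits:
                removed.extend(hits)
                out.append(";" + raw)          # evidence of what was there
                out.append(f"{key}=" + " ".join(p for p in parts if p not in hits))
                continue
        out.append(raw)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    print(windows_autostart_entries(SAMPLE_WIN_INI))
    cleaned, gone = neutralise_autostart(SAMPLE_WIN_INI, "scrsvr.exe")
    print("removed:", gone)
    print(cleaned)
```

Run it against a copy of the real win.ini rather than in place; the point of the commented copy is that you can see afterwards exactly which line was changed, and a file that keeps regrowing a run= entry after this (as happened earlier in the thread) tells you the infector is still active somewhere else.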